Folks,

Robert Coup has noticed a security problem with the OGR WCTS service. As I am not aware of anyone using it, and it hasn't been maintained for a while, I'm going to move it to "svn spike" from trunk and add a small warning about it there. Anyone actually running this as a service may want to review the notes added to the index.html and/or talk to Robert. If there is desire to keep this in the GDAL/OGR distribution let me know and we could work on a fix.
The brief (incomplete) description follows, and the code can now be found at:

  http://svn.osgeo.org/gdal/spike/wcts/

<h2><a id="security">Security Concern</a></h2>

<p>The OGR WCTS server has been moved to "spike" due to lack of maintenance and a non-trivial SSRF security bug. In light of this problem, it is advised that this service only be used with caution. Robert Coup describes it this way:</p>

<p><i>If the WCTS stuff is compiled with -DHAVE_CURL, then the ogrwcts process is vulnerable to SSRF. The wctsclient process (which looks to me like a CGI server) is always vulnerable, since it doesn't care about -DHAVE_CURL.</i></p>

<p><i>(a) Either passing in a user-supplied URL which isn't validated before requesting it - this leaves "internal" HTTP services which should only be readable to the server readable to any client.</i></p>

<p><i>(b) Using a redirect to the gopher protocol a client can send HTTP POST requests or other payloads to any host accessible to the server. *Why* curl enables the gopher protocol is beyond me, but it does.</i></p>

<p><i>We can protect against (b) by disabling redirect-following (CURLOPT_FOLLOWLOCATION=0). But we can't really protect against (a) at all without adding some black/whitelist of IP addresses.</i></p>

<p><i>Steps to reproduce:</i></p>

<p><i>Overview:</i></p>

<ol>
  <li><i>send evil request to wctsclient or ogrwcts services</i></li>
  <li><i>wcts requests client-specified http url (via <FileUrl> in ogrwcts, or WCTSServer/GMLURL in wctsclient)</i></li>
  <li><i>either that reveals private inf</i></li>
</ol>

Best regards,

-- 
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up   | Frank Warmerdam, warmer...@pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush    | Geospatial Software Developer
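Robert's point (a) is that a client-supplied URL reaches curl unvalidated, and his suggested mitigation is a black/whitelist of destination addresses. The function below is an added example of such a pre-request check, written for this page; it is not GDAL/OGR or WCTS code and the policy it enforces (http/https only; no loopback, RFC 1918, link-local or "localhost" targets; no userinfo; no bracketed IPv6 literals) is an assumption chosen here. It also covers the common numeric-host bypasses of a naive check: octal octets such as 0177.0.0.1, decimal 2130706433, hex 0x7f000001 and the short form 127.1, all of which inet_aton-style parsers map to loopback. The function name wcts_url_allowed is hypothetical.

```c
/*
 * Added example (not GDAL/OGR code): a pre-request allow/deny check for a
 * client-supplied URL of the kind ogrwcts (<FileUrl>) and wctsclient
 * (WCTSServer/GMLURL) hand to curl.  Policy assumed for this example:
 *   - scheme must be http or https (gopher://, file://, dict:// ... refused)
 *   - no userinfo ("user@host") in the authority
 *   - no bracketed IPv6 literals (not handled here, so refused)
 *   - IPv4 literals must be strict dotted-quad and not loopback, RFC 1918,
 *     link-local (169.254/16, where cloud metadata lives) or 0/8
 *   - numeric hosts that are not strict dotted-quads are refused, because
 *     inet_aton-style parsers accept octal/decimal/hex forms of loopback
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive ASCII prefix test (avoids relying on strings.h). */
static int ci_prefix(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Strict dotted-quad parser: exactly four 1-3 digit octets, no leading
 * zeros (rejects octal ambiguity), each <= 255.  Returns 1 on success. */
static int parse_ipv4_strict(const char *s, unsigned char out[4]) {
    int i;
    for (i = 0; i < 4; i++) {
        int len = 0, val = 0;
        if (!isdigit((unsigned char)*s)) return 0;
        if (*s == '0' && isdigit((unsigned char)s[1])) return 0;
        while (isdigit((unsigned char)*s) && len < 3) {
            val = val * 10 + (*s - '0');
            s++; len++;
        }
        if (val > 255) return 0;
        out[i] = (unsigned char)val;
        if (i < 3) {
            if (*s != '.') return 0;
            s++;
        }
    }
    return *s == '\0';
}

/* Ranges the server must never be tricked into contacting on a client's behalf. */
static int ipv4_is_internal(const unsigned char ip[4]) {
    if (ip[0] == 127) return 1;                               /* loopback   */
    if (ip[0] == 10) return 1;                                /* RFC 1918   */
    if (ip[0] == 172 && ip[1] >= 16 && ip[1] <= 31) return 1; /* RFC 1918   */
    if (ip[0] == 192 && ip[1] == 168) return 1;               /* RFC 1918   */
    if (ip[0] == 169 && ip[1] == 254) return 1;               /* link-local */
    if (ip[0] == 0) return 1;                                 /* 0.0.0.0/8  */
    return 0;
}

/* "2130706433", "127.1", "0177.0.0.1", "0x7f000001": numeric but not a
 * strict dotted-quad.  Refuse rather than guess what the resolver would do. */
static int looks_numeric(const char *h) {
    if (ci_prefix(h, "0x")) return 1;
    for (; *h; h++)
        if (!isdigit((unsigned char)*h) && *h != '.') return 0;
    return 1;
}

/* Returns 1 if the URL may be fetched under the policy above, 0 otherwise. */
int wcts_url_allowed(const char *url) {
    const char *p;
    char host[256];
    char *colon;
    size_t n;
    unsigned char ip[4];

    if (ci_prefix(url, "http://"))       p = url + 7;
    else if (ci_prefix(url, "https://")) p = url + 8;
    else return 0;                        /* refuses gopher://, file://, ... */

    n = strcspn(p, "/?#");                /* authority ends at path/query/frag */
    if (n == 0 || n >= sizeof(host)) return 0;
    memcpy(host, p, n);
    host[n] = '\0';

    if (strchr(host, '@')) return 0;      /* "trusted.example@127.0.0.1" trick */
    if (host[0] == '[') return 0;         /* IPv6 literal: out of scope, refuse */

    colon = strrchr(host, ':');           /* strip :port */
    if (colon) *colon = '\0';
    n = strlen(host);
    if (n > 0 && host[n - 1] == '.') host[n - 1] = '\0'; /* "localhost." */
    if (host[0] == '\0') return 0;

    if (ci_prefix(host, "localhost") && strlen(host) == 9) return 0;

    if (parse_ipv4_strict(host, ip)) return !ipv4_is_internal(ip);
    if (looks_numeric(host)) return 0;

    /* Ordinary hostname: resolve it and run ipv4_is_internal() on every
     * address before connecting (not done here so the example runs offline). */
    return 1;
}

int main(void) {
    /* Constructed sample inputs, not taken from any real request. */
    const char *samples[] = {
        "http://example.org/data.gml", "gopher://10.0.0.5:70/_POST",
        "http://127.0.0.1/", "http://0177.0.0.1/", "http://169.254.169.254/",
        "http://example.org@127.0.0.1/", "https://example.org:8443/x", NULL };
    for (int i = 0; samples[i]; i++)
        printf("%-36s %s\n", samples[i], wcts_url_allowed(samples[i]) ? "allow" : "deny");
    return 0;
}
```

Two caveats a deployer would need to keep in mind. First, this check runs before the request, so it does nothing for point (b): a permitted URL can still redirect to gopher:// or to an internal address, which is why redirect following must be switched off (CURLOPT_FOLLOWLOCATION = 0) and, on libcurl builds that have them, CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS limited to HTTP and HTTPS. Second, a hostname that passes the literal check can still resolve to an internal address, so the resolved addresses must be checked too, and the connection should be made to the checked address rather than resolved a second time by curl.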
_______________________________________________ gdal-dev mailing list gdal-dev@lists.osgeo.org http://lists.osgeo.org/mailman/listinfo/gdal-dev